Three Security Packages for the Public Sector

The public sector is an interesting, important and really tough market to work with. You can verify this by asking your vendors how they feel about working in “SLED”: State, Local and Educational. They’ll talk about thin and biennial budgets, government procurement rules and political and labor overlays.

And yet, we picked this market preferentially. Why? Because we have kids. Because clean water, emergency management, and communication systems for public safety are far more important than credit cards. Yes, the public sector holds personally identifiable information, health records and cardholder data, and those are important as security drivers (no one wants to be “above the fold”), but the real exposures are the ones that can result in loss of life if disrupted.

So our challenge is to come up with security services that are focused on the right things, provide demonstrable value, and help with moving the conversation forward about securing the critical assets that are managed by the public sector – while addressing the difficulties in projecting the need for security to electeds and executives.

So here are three packages that do just that. These are meant to assist with establishing a security baseline and budget priorities, identifying low-hanging fruit for quick wins, and addressing compliance requirements under HIPAA, CJIS, and PCI. And while pricing depends on scope, these are normally below the threshold for competitive procurement.

Focused Security Assessment

This is an assessment against the standards of practice and regulatory requirements that apply to your organization. The assessment is crafted to address exactly the issues on which you need to elevate attention. If you’re having a problem with payment systems that store cardholder data, we put PCI issues in scope. If you’re concerned about the storage of health data, we integrate HIPAA issues into the assessment. The deliverable is a driver for budget requests and prioritization, and establishes a baseline against which you can show progress over time.

Packet Capture and Analysis

Using our custom packet-capture platform, we’ll pull traffic from your network onto an encrypted drive for a period of 3-5 days. The drive comes back to the MKH&A lab, where the traffic is run through our OSMOSIS threat identification platform and interesting findings are investigated by an MKH&A analyst. The analysis will identify compromised assets in your network, attacks in progress, data exfiltration events, and network device configuration issues. This information can be used to identify control deficiencies, the need for user education, and the value of monitoring.

Security Awareness Training

Awareness training is a component of nearly every security regulatory regime, because users are your biggest exposure. While there’s no firewall for stupidity, users can — and should — be periodically exposed to messaging that helps to bring their “radar up” to avoid disclosing credentials, biting on malware, or failing to report odd occurrences. Our training is directed at 3 populations (users, administrators, and executives) and includes attestation management so you can prove to auditors that you’re meeting the requirement.